pfSense Routes While Untangle Protects

I’ve been using Untangle as my router since June and don’t have any complaints. It’s worked well as a router and unified threat manager (UTM). I also took the plunge and subscribed to Kaspersky AV for enhanced anti-virus scanning. But pfSense had been my first choice as a router, although I had to abandon it since pfSense didn’t work with my DSL, and I stuck with Untangle as both a router and UTM. Now that DSL was gone and there was a new version of pfSense it was time to try again. This time the plan is to run pfSense and Untangle each on their own HP MicroServer.

Hardware

Untangle Server – This will be the same hardware, minus the dual port NIC, that has been running Untangle. There’s 2GB of RAM, which has proven to be more than enough even when working as a router and UTM. While Untangle is a bit more resource intensive than other solutions I could probably get by with 1 GB. I have the additional 1 GB stick and no other use for it so I might as well use it. The only hard drive is the 160 GB drive that came with the MicroServer. In addition to the onboard NIC I’ve installed a second NIC which is a run of the mill Intel NIC.

pfSense Server – This will be the same hardware as the Untangle server, 2 GB of RAM and the standard 160 GB hard drive. Even though I initially only need 2 NICs I have a dual port NIC I’ll add to this server and I’ll disable the onboard NIC. This will allow me to add another network segment down the road without having to open the server up again. The 2 GB of memory is even more overkill here. The minimum requirements are just 128 MB of RAM, with 512 MB recommended if some of the larger add-on packages are installed. Again, since I already have the second stick, I decided to use it. The network card is the StarTech Dual Port Gigabit NIC.

The Plan

Since I’ll be moving routers, and therefore DHCP servers since the routers did double duty, I’ll need to document the current scopes and address reservations. After that the plan is simple.

Shut down the Untangle server and remove the dual port NIC, but leave the software untouched for now.

Install the dual port NIC in the second MicroServer and install pfSense.

Once pfSense is running as a router, reset Untangle to run in bridge mode.

The end result will look like this:

pfSense – Initial Problems – Eventual Success

I had some problems right out of the gate.

I decided to try configuring RAID 0, again mainly because I already had a matching drive. But this didn’t work. With RAID 0 configured, the pfSense CD went into a never ending reboot cycle. As soon as it started loading it would reboot. I didn’t spend much time working on this since RAID wasn’t a priority for me on this box, especially RAID via BIOS which I’ve never really trusted.

I rebooted again after turning off RAID in the BIOS. This time I got as far as the menu to select what I wanted to do – continue the live CD boot or install to the hard drive. I let the live CD boot continue but then the startup simply stopped with an error. I booted again but this time during the boot I didn’t accept the default boot option but instead picked the “Boot From USB Device” option since it was a USB CD drive. This did the trick.

Now I was able to boot the live CD and get it running as a router, getting me back on the internet. But my problems weren’t over yet. When I selected the option to install to the hard drive I received an error code 11 during the file copy. Setting the drive controller to IDE mode, and trying a second hard drive resulted in the same error at the same time. Google and pfSense forum searches for the error didn’t provide any help. I skipped through the error and ended up with a working router, but the web interface didn’t work properly. Long story short, while researching the possibility of a bad CD I stumbled upon a pfSense 1.3 CD and accidentally booted from it. So I decided to keep going and sure enough after getting it working as a router it installed to the hard drive just fine.

After having pfSense 1.3 running from the hard drive I was able to upgrade to pfSense 2 through the pfSense console. The upgrade went just fine and I had the pfSense router working just fine from the hard drive. So it was on to Untangle.

Untangle – Easy Enough

Once pfSense was working I was comfortable tackling Untangle since I no longer needed it as a router. I needed to change it to bridge mode so it would no longer function as a router or DHCP server. I could do it by either disabling the unneeded services or resetting to the factory defaults and running the setup wizard again. I chose the factory reset option as the safest route. Since I removed the network card that had the LAN connection I attached a monitor and keyboard to the Untangle server and booted it up. I selected the factory reset option from the console.

After the factory reset I just had to run the setup wizard and select bridge mode.

Installation Notes

The factory reset preserved my Untangle license for Kaspersky so I didn’t have to go through any re-registration process.

The setup wizard was a little confusing. The first screen required me to assign the NIC ports as external and internal and implies an internet connection. I assigned the external as the port connecting to pfSense and the internal as the one going to the switch.

The next screen asked me to configure the WAN (internal port). I selected a static IP address and entered 192.168.1.2 (the pfSense LAN port to Untangle is 192.168.1.1). I used the pfSense IP address as the router address. It wasn’t until the next screen that I was asked to select Bridge or Router mode. Once bridge was selected there wasn’t any option to configure the second port (since they both have the same IP address).

Most current NICs automatically sense the connection type so I could use a regular ethernet cable to link the pfSense server to the Untangle server without needing a crossover cable or a switch.

Selecting the appropriate pfSense CD to install was the hardest part. There are multiple selections with little guidance; I used pfSense-2.0-RELEASE-i386.iso.gz.

Since the HP MicroServer has a dual core CPU I selected the SMP kernel when asked during the pfSense installation.

[Added Oct 10] – I needed to re-select the network type on all my Windows 7 computers as well as a Windows 2008 R2 server I was running.

A diagram showing the setup is below:

I haven’t installed any added pfSense packages and the rest of the settings are still using the defaults. I look forward to playing around with pfSense and its optional packages, but out of the box it seems to be working fine.

Wrapping Up & Additional Information

The HomeServerShow.com website and forums have a bunch of information, mainly around installing both pfSense and Untangle on the same hardware via virtual machines. Start with the Super Router article or search for “Super Router”, pfSense, or Untangle. Earlier in the year when I started looking at a software router I was able to install both pfSense and Untangle as virtual machines running on Citrix XenServer. But I decided to go with two dedicated computers as a less complicated, slightly more secure solution. Less secure in the sense that the VM host wasn’t on the internet side of the firewall and potentially vulnerable (although admittedly unlikely).

Neither pfSense nor Untangle is targeted at home users. This is more noticeable in pfSense in the lack of tutorials for the basics. Right from the beginning it’s noticeable as there are a couple dozen files available to download with no real indication of which to use and when. But with that said, and despite my specific speed bumps, the pfSense install itself is straightforward and results in an out of the box install that exceeds the capabilities of any store bought router and does “just work”. There’s also an active forum.

Untangle provides a GUI interface so it has a friendlier face. The GUI does add to the overhead and makes the settings that aren’t front and center harder to find.

Admittedly this is overkill for a home network. But after running up against my bandwidth cap a couple of months I want more control and visibility into the bandwidth. Untangle was a start but pfSense has more features and charts than I’ll ever need so if nothing else, it will be more to play with. While a VM solution makes it easy to swap test machines in and out, the swappable drives of the HP MicroServers give me the same flexibility. The swappable drives are another reason I haven’t looked for smaller form-factor PCs to run pfSense and Untangle.

@Durian – Check out the Home Server Show website. Search for “Super Router” on the site and in the forums. This article on the site was the first one about installing pfSense and Untangle in a virtual environment. In that case only two NICs were required as the pfSense to Untangle connection was a virtual NIC. The forums have discussion on more variations in software and configuration and you may find someone who is doing or tried what you want to do.

In this configuration it doesn’t really add any overhead. pfSense is doing the routing and is efficient at doing that. Untangle is just set for pass-through and doesn’t do any routing, just filtering and related services. Having said that, I no longer use Untangle. I did find it to be slightly slower than other products; adding pfSense didn’t change that one way or the other. Removing Untangle sped things up a bit except in those times when the proxy caching helped, which wasn’t very often for me.